Warning about Amazon RDS snapshots, a newly found ransomware strain, etc.
Welcome to Cyber Security Today. It's Friday, November 18, 2022. I'm Howard Solomon, a cybersecurity correspondent for ITWorldCanada.com.
Organizations that use Amazon's relational database service, called RDS, are being warned that improperly secured snapshot backups could be a source of personal information for hackers. The warning comes from researchers at Mitiga, who have found a way to scan, clone and extract sensitive data from RDS snapshots. Administrators typically store these snapshots in a separate database. But if that database is exposed on the internet or shared with someone, the snapshot can be copied by hackers. Worse, the researchers say, with some work a hacker can find the source of a snapshot and threaten to reveal the data unless the organization pays them. In doing their work, the researchers found 2,783 snapshots around the world, 810 of which are publicly accessible. Mitiga says RDS administrators and users should take care to securely configure and encrypt these snapshots.
Just over a year ago, IT and security leaders were warned to patch the Log4Shell vulnerability in applications that use the log4j2 logging library. This week, the US Cybersecurity and Infrastructure Security Agency (CISA) warned IT and security leaders to ensure that all of their systems are patched for this vulnerability. It issued that warning after discovering that threat actors sponsored by the Iranian government used that vulnerability last February to compromise a federal organization through an unpatched VMware Horizon server. The attackers used their access to get to the organization's domain controllers, compromised credentials, and then implanted reverse proxies on several servers for persistence. The warning urges administrators with VMware Horizon who did not immediately install patches or workarounds to assume they have been compromised and take action.
Separately, CISA has issued a basic paper on the tactics of the Hive ransomware gang. Security teams can use the information to look for signs of compromise.
Meanwhile, researchers at BlackBerry have identified a new type of ransomware they call ARCrypter. It first hit organizations in Chile and Colombia in August. BlackBerry said victims in Canada and China have uploaded examples with similar code to the VirusTotal scanner for testing. That shows that the people behind this strain of ransomware are pursuing organizations around the world.
Hackers are still using old tricks to fool unsuspecting victims. One of them is an email or text that says, 'We noticed an unusual login on your account. Please click here for account security.' The click takes the victim to a fake website where they are asked to log in to confirm or change their username and password. The goal is to steal the login credentials. In a blog this week, researchers at Armorblox said scammers recently attempted to send such a message to students at an unnamed educational institution. The message looked like it was coming from Instagram. If you receive a message like this, ignore it. Legitimate companies do not send messages this way. Instead, they'll ask you to go to the app's login page the way you normally would to check or change your password.
Finally, if you use the Firefox browser, make sure it's running the latest version. An update was released this week to patch several vulnerabilities. You should be on version 107.
Later today, the Weekly Review version of the podcast will be available. Guest David Shipley and I will discuss what organizations experiencing cyber attacks should say publicly.
Subscribe to Cyber Security Today on Apple Podcasts, Google Podcasts, or add us to Flash Summary on your smart speaker.